Firewall in Proxmox OpenVZ Container

If you set up an OpenVZ container and would like to add a firewall you might run into issues. Unlike as in fully virtualized environments with KVM your isolated container depends on the host kernel. Access to kernel features and certain modules is configured per container on the host.

Let’s say you created your container based on a Ubuntu template. It’s only natural that you would want to use the ufw front-end for managing your iptables. But it won’t work as expected.

The many problems you have to workaround or to fix are documented on some sites, for example on this blog.

Of course it’s not complicated to write some basic rules and create your own firewall script. See this blog post from Dean Gerber as an example. But if you want the comfort coming from a package with a documented configuration file you have to look out for one that works.

One that works nicely is apf („apf – easy iptables based firewall„, package description). The package is named „apf-firewall“ on Ubuntu. You only have to be aware of the following:

Activate module workaround

Inside your container, edit /etc/apf-firewall/conf.apf. You have to set the „MONOKERN“ option to 1.

# This allows the firewall to work around modular kernel issues by assuming
# that the system has all required firewall modules compiled directly into
# kernel. This mode of operation is not generally recommended but can be used
# scale APF to unique situations.

Take a look at the IFACE_IN and IFACE_OUT options and add your untrusted network interface. Depending on your setup this could be the „venet0“ interface (run ifconfig when not sure).

Add missing iptables kernel modules

On your Proxmox host, take a look at your /etc/vz/vz.conf configuration file (this is the global configuration) or your container specific one (below conf/) and search for the IPTABLES parameter. As the comment says: „IPv4 iptables kernel modules to be enabled in CTs by default„. Depending on the options you set with apf you might need additional modules to be allowed in your container. For example, I usually add parameters like ip_conntrack, ipt_LOG, ipt_state or iptable_nat.

Please note: If you set up a cluster make sure that you added the kernel modules to the vz.conf on every cluster node. Otherwise you run into trouble when migrating a container.

Increase ressources of the container

Remember that the ressources of your container are not unlimited. They are never, but of course in a virtualized environment likely even more than expected. If you configure the apf-firewall via the /etc/apf-firewall/conf.apf file the number of rules is a direct result of your settings. If you like the idea of „Remote Rule Imports“ (I do) chances are you run into limits.

Everyone of the remote rules leads to downloads of lists, for example a list of identified spammers and spambots or stolen ‚zombie‘ netblocks. For the sake of convenience let’s pretend you apf-firewall downloads a list of 100 IP addresses and creates 100 filter rules out of it. When running „apf -r“ to set up the firewall you will see lots of messages like „iptables: Memory allocation problem„. You then have to increase the number of iptables (netfilter) entries. You do this on the host with the following command:

vzctl set <node-id> --numiptent 1500 --save

The <node-id> is the number of your container (see the list of your nodes with vzlist, but you know that). The number 1500 is just an example. How do you find out what you need? You will utilize the proc filesystem and take a look at the user_beancounter entry. Run something like

egrep "failcnt|numiptent" /proc/user_beancounters

inside your container, as suggested on this blog. Don’t set the value to low if you use Remote Rule Imports in combination with auto-updates (SET_REFRESH parameter).

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.